In a devastating blow to almost 20% of Facebook’s 2.3 billion users, several unprotected databases were discovered online that contain 419 million records of Facebook users, reports TechCrunch. The databases were found on a server and had no password protections in place, which meant they were freely accessible to anyone with an internet connection.

Among the databases were records of 133 million U.S.-based Facebook users, 18 million U.K.-based users, and one with 50 million records on users in Vietnam. Each record in the databases contains a Facebook user’s unique ID and the phone number listed on the account. Some of the records also contain the user’s name, gender, and country location.

It’s important to note that Facebook itself has not been hacked. Rather, the databases contained scraped information about Facebook users when Facebook still allowed developers access to user’s phone numbers, which it revoked in 2018.

It’s unknown who owned the databases, though they have been pulled from the server they were contained on after the web hosting company was notified of their existence. When TechCrunch reached out to Facebook for comment on the discovered databases, Facebook said:

This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.

Still, the massive leak of 419 million Facebook users’ phone numbers presents an incredible security risk for those users. SIM-hacking is becoming a more common way of targeting users for identity theft, and all a bad actor needs is a person’s phone number and some basic information that could be gleaned from social engineering. Additionally, the leaked phone numbers also expose 419 million people to potentially more spam phone calls.